Ransomware, Wannacry, Extortion discussed on The CyberWire

The CyberWire


And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's always great to have you back. We recently passed the third anniversary of WannaCry, and I wanted to check in with you on some of the things that you've been tracking when it comes to ransomware and how it's evolved over the past three years.

Sure. The third anniversary of WannaCry was just last month, and I've gotta say WannaCry was a pivotal moment in cybersecurity history, not because of some of the damage that it created; we've seen damage for ten, fifteen, twenty years. What really was surprising was that WannaCry was going to be the first of many types of destructive attacks. Now, in my experience I define ransomware as destructive, because there's really no difference with destructive attacks. You don't have a means to get your data, and with ransomware you may have a means if you're willing to take that risk. And so with WannaCry creating so much damage three years ago, it really started a cascading of events in ramping up ransomware. I believe that adversaries saw this as an opening for them to exploit victims and get a big payday.

And we've seen since then ransomware has sort of expanded its scope of operations to include exfiltrated data, to kind of turn up the heat on the folks they're ransoming.

That's exactly right. We at Accenture are seeing a lot of cases, and in fact, since the pandemic started in early March, we have seen over a fifty percent increase in ransomware cases, and many of them are following the same incident life cycle. It's the adversaries that are doing a quick phish to get in, get a landing spot, quickly escalate privileges, and they're installing a persistence mechanism like Cobalt Strike. Now, Cobalt Strike is an interesting tool because it is a commercially available tool out there. Primarily, it is intended for use by red teams and friendly teams, but Cobalt Strike has been adopted by many adversaries out there, even nation states, as a remote access Trojan. So these adversaries are getting in, they are installing Cobalt Strike, and then they're just kinda listening for a while. They're mapping the environment, they're understanding who's who and where the goods are, and then of course, once they find the goods, they are encrypting them in place as well as stealing credentials and other data. So they've kind of got a bird in the hand, and the bird in the hand is they're stealing the data first and then extorting. So if they don't get their extortion money, boom, they've already probably monetized the first set of data that they exfiltrated.

In the time since WannaCry, has your playbook grown more sophisticated when you're called out to help an organization who's dealing with ransomware? Have things changed over the past couple of years?

Yes. We have moved from being primarily an investigation team that's heavily focused on understanding the who, the what, the why, and then moving toward expulsion and then transformation. We've moved from that model to quickly triage and help recover an environment, because before, the cases that we were running, both cyber criminal and nation state, it was really a bug hunt. You have an adversary, they are hidden in the environment, and they are patiently stealing intellectual property and exfiltrating. And what we're seeing now is something different. We're seeing an adversary get in, be quiet, exfiltrate that first set of data, then of course they're doing the extortion, but through this extortion they're also taking out the entire enterprise. They're taking down Active Directory, they're taking down applications and databases and things that are necessary to create revenue or to fulfill the obligation of the enterprise. So for us, we are seeing more and more of that, and it's less about, well, who done it and how do we get them out of the environment, to how fast can we restore services?

It's interesting to me that, you know, I remember it felt like we might see a shift away from ransomware toward crypto mining for a little while, but that really didn't play out. The crypto mining kind of ran out of steam.

I think that with these crypto mining adversaries, I think they were primarily looking to make a quick buck off of the new types of cryptocurrencies out there. But I think that they're having a hard time monetizing these quasi-unofficial currencies out there. So it's very difficult for them to make money, and if you're already...